(57) Abstract



A data encryption/decryption device (20) for a host computer (10) has an encryption/decryption module (22) which is hard wired
with an infrared interface (24) capable of communicating with an infrared interface (14) at the host computer (10). The device (20) is
for encrypting/decrypting data received from the computer (10) and transmitting it back to the computer (10), all via the infrared wireless
communication link. The device (20) is in the form of a "credit card" sized token.




WO 99/35553 



PCT/GB99/00079 



Cryptographic Token 

The present invention relates to cryptographic tokens, and particularly to cryptographic 
tokens used in conjunction with computer systems. 

A cryptographic token is a device which is operative to carry out a cryptographic operation
using secret data embedded in the token. Such a device can be used for authentication, the
provision of a digital signature, or general encryption and decryption operations. It can be
useful in financial and commercial transactions, which increasingly are controlled by
computer, requiring some form of reliable authentication of the user to ensure that
transactions are properly authorised.

In known systems, cryptographic tokens are used in conjunction with a host computer which
has its own cryptographic capability and which is able to carry out some form of
interpretation of the information provided by the token.

Cryptographic tokens may have to be placed in a slot in a host computer. On entry into the
slot, conductive pads on the card engage with complementary contacts in the slot, so as to
provide a direct physical contact. Although such an arrangement is technically satisfactory,
it requires the user to perform the steps of inserting the card into the slot, waiting for
processing of the card to cease, and removing the card from the slot. A user may wish to
perform a number of operations using the token and, for convenience, may leave the token
inside the slot until all of the operations are completed. At the end of use of the system, the
user may forget to remove the token from the slot, rendering the system open to unauthorised
use by a third party. Furthermore, the added steps involved in such a procedure may lead to
the procedure being considered too inconvenient for efficient operation of the host system.
That may lead to the operator of the host system ignoring the use of the token.

According to the first aspect of the invention, there is provided a data encryption/decryption
device for a host computer comprising encryption/decryption means for performing
encryption/decryption operations on data to be used by the host computer and communication
means for wireless communications with the host computer, wherein data from the host
computer for encryption/decryption is received via the communication means and
encrypted/decrypted by the encryption/decryption means, and the encrypted/decrypted data
is transmitted back to the host computer via the communication means.

The device according to the invention is particularly advantageous, in that it provides a host
system with external cryptographic processing, that is to say, the host system does not need
or may not have its own cryptographic capability. Thus, any host system, such as a standard
PC, so long as it is capable of establishing a communications link with the device, can take
advantage of its cryptographic processing. For example, the host system can rely upon the
device for encryption of data which it wishes to send securely through an insecure network
or it can rely on the device to decrypt encrypted data which it has received through a network.
In either case, no further interpretation of the data needs to be carried out by the host system.

What is more, all the cryptographic processing is done within the device, which is where the
cryptographic information or keys are stored. Using the keys where they are stored is of
benefit because having to move the keys around with the data, as in the case of prior art
systems, means increased opportunity for interception and deciphering.

By use of the device according to the invention, no physical connection is necessary, and so
no slot need be provided in the host computer. Accordingly, the user of the system in
accordance with the invention is less likely to leave the system unattended in an insecure
state.

Further aspects and advantages of the invention will now be described, with reference to the 
drawing in which: 

Figure 1 is a schematic view of a cryptographic security system in accordance with a
preferred and specific embodiment of the invention.

A host computer 10, such as an IBM compatible personal computer with no cryptographic
capability has a central processor 12 and is provided with an integrated infra-red interface 14,
adapted to establish an infra-red communications link with an external device.

The interface 14 is hard-wired 16 with the central processor 12, and can be implemented
physically by a card inserted into one of the bays commonly provided inside a personal
computer for cards such as modems, graphics cards or the like, or encapsulated in a package
the same dimensions as a standard disk drive, for insertion in a bay provided for additional
disk drives in the host computer 10. Alternatively, the interface can be implemented directly
on the motherboard normally provided in a personal computer. Preferably, the package in
which the interface 14 is provided is tamper evident and/or access resistant.

A personal security token 20 comprises an encryption/decryption module 22, which in use
is operative to perform one or more encryption/decryption operations, and an integrated
infra-red interface 24 compatible with the interface 14 of the host computer 10. The interface 24
is hard-wired 26 with the encryption/decryption module 22. The interfaces 14, 24 are
operative to establish a wireless communications link 30 between the host computer 10 and
the personal security token 20. The encryption/decryption module 22 is operative to encrypt
un-encrypted data received from the host computer 10 on the wireless communications link
or to decrypt encrypted data received from the host computer 10. In either instance, the
encryption/decryption is performed using at least one key stored within the
encryption/decryption module 22. After having been processed by the encryption/decryption
module 22, the encrypted/decrypted data is transmitted to the host computer 10 on the
wireless communication link 30, and the data is used by the host computer 10, for example,
for onward transmission to another host or to update/modify software stored in the host
computer.

The encryption/decryption operations performed by the encryption/decryption module 22 are
preferably performed in conjunction with software or hardware embedded in the host
computer 10.
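
The host/token exchange described above, modelled in software as an added illustration that is not part of the patent text. The opcodes, frame layout, status byte and the HMAC-SHA256 counter-mode cipher with an integrity tag are all assumptions; the specification names no algorithm or wire format.

```python
import hashlib
import hmac
import os
import struct

OP_ENCRYPT, OP_DECRYPT = 1, 2  # assumed opcodes; the patent defines no wire format

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Token:
    """Models token 20: keys are created and used only inside this object."""
    def __init__(self):
        master = os.urandom(32)  # stands in for the key stored in module 22
        self.__enc, self.__mac = _prf(master, b"enc"), _prf(master, b"mac")

    def _xor_stream(self, nonce, data):
        # Stand-in cipher (assumption): HMAC-SHA256 keystream in counter mode.
        blocks = (len(data) + 31) // 32
        ks = b"".join(_prf(self.__enc, nonce + struct.pack(">I", i)) for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, ks))

    def handle(self, frame):
        """Process one frame from the link: 1-byte opcode followed by payload."""
        if not frame:
            return b"\x01"
        op, payload = frame[0], frame[1:]
        if op == OP_ENCRYPT:
            nonce = os.urandom(16)
            ct = self._xor_stream(nonce, payload)
            return b"\x00" + nonce + ct + _prf(self.__mac, nonce + ct)
        if op == OP_DECRYPT and len(payload) >= 48:
            nonce, ct, tag = payload[:16], payload[16:-32], payload[-32:]
            # Verify the tag before decrypting, in constant time.
            if hmac.compare_digest(tag, _prf(self.__mac, nonce + ct)):
                return b"\x00" + self._xor_stream(nonce, ct)
        return b"\x01"  # unknown opcode, short frame, or failed integrity check

def host_request(token, op, data):
    """Models host 10: it frames data, sends it, and reads the reply; no key."""
    reply = token.handle(bytes([op]) + data)  # direct call stands in for link 30
    if reply[0] != 0:
        raise ValueError("token rejected the request")
    return reply[1:]
```

The host side holds only plaintext and ciphertext; a blob altered in transit, or presented to a different token, is rejected rather than decrypted to garbage.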

Preferably, the personal security token 20 is in the form of a "credit card" size piece of
plastics material, but it may also be embodied on a badge, pendant or a signet-type ring. It
may be attached to the person with a flexible member such as a lanyard.

Claims

1. A data encryption/decryption device for a host computer comprising
encryption/decryption means for performing encryption/decryption operations on
data to be used by the host computer and communications means for wireless
communication with the host computer, wherein data from the host computer for
encryption/decryption is received via the communication means and
encrypted/decrypted by the encryption/decryption means, and the
encrypted/decrypted data is transmitted back to the host computer via the
communication means.

2. A device according to claim 1 wherein the host computer has no cryptographic
capability.

3. A device according to claim 1 or claim 2 wherein at least one key for the 
encryption/decryption of data is stored within the encryption/decryption means. 

4. A device according to any of claims 1 to 3 wherein the communication means
comprises an infra-red interface capable of communicating with an infra-red interface
at the host computer.

5. A device according to any of claims 1 to 4 which comprises a piece of plastics 
material, a badge, a pendant or a signet-type ring. 

6. A device according to claim 5 which is attached to a user by means of a flexible
member.